Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 13:38

General

  • Target

    aeace0a8ab23c3ce61d5350201e0e941_JaffaCakes118.vbs

  • Size

    88KB

  • MD5

    aeace0a8ab23c3ce61d5350201e0e941

  • SHA1

    85c24929f4c1464636e0c6cce6d86973d980a009

  • SHA256

    530be52b6fab0cbe77614e8321abf7aa90e410a7ebe654c67aece01f6f37ea51

  • SHA512

    e44ab057cfbe18fecf41fb1b15d3b0824fe55127083c33d1e23eb77c7484eaaf4937a2c88fdc91de92f6960eb3e8a1152a407dd68213ff99330d40241407f360

  • SSDEEP

    1536:5KQf2k2MLd2AbmVSJUYH4PzKXZBHCRP/9uRHMV7lmbFYcobOH+arEczQp:nn2Ab64laengHVVkfH4CQ

Malware Config

Extracted

Family

wshrat

C2

http://jeffserver.duckdns.org:3355

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm (also known as H-Worm) and is distributed in both VBS and JS variants.

  • Blocklisted process makes network request (50 IoCs)
  • Drops startup file (4 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeace0a8ab23c3ce61d5350201e0e941_JaffaCakes118.vbs"
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\keSoCVJrPF.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2676
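
The process tree and signatures above describe exactly what a detection engineer would hunt for on an endpoint: a script host launching a .vbs from a user-writable path, the dropped second stage run with `wscript.exe //B` from AppData\Roaming, a copy placed in the Startup folder, a Run key, and DNS resolution of the duckdns C2. The Python below is an added example and is not part of the sandbox report; it runs those rules over constructed Sysmon-style records (Event IDs 1, 11, 13 and 22) modelled on this report. The Run key value name and data, the `Sha256` field on file-create events (Sysmon Event ID 11 itself carries no hash; EDR telemetry often does) and the benign logon-script event are assumptions, not observations from this analysis.

```python
"""Hunt for the WSHRAT behaviour shown in the report above over constructed
Sysmon-style telemetry. Editor-added example; the records are constructed."""
import re

# Indicators copied from the report above.
KNOWN_SHA256 = {
    "530be52b6fab0cbe77614e8321abf7aa90e410a7ebe654c67aece01f6f37ea51",  # submitted .vbs / Startup copy
    "d9f6ba700117da69da10241c27e799fe982fc20cfe36f76486b7396abfa42772",  # keSoCVJrPF.vbs (second stage)
}
C2_HOST = "jeffserver.duckdns.org"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(appdata\\(local|roaming)|users\\[^\\]+\\downloads)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
BATCH_FLAG = re.compile(r"(^|\s)//b(\s|$)", re.I)  # wscript //B: no dialogs, no error pop-ups


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Sysmon Event ID 1 (process create): script-host abuse patterns from the tree above."""
    hits = []
    if _basename(ev["Image"]) in SCRIPT_HOSTS:
        cmd = ev.get("CommandLine", "")
        if BATCH_FLAG.search(cmd):
            hits.append("script host run with //B (suppresses errors and dialogs)")
        if USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
            hits.append("script executed from a user-writable directory")
        if _basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
            hits.append("script host spawned by script host (dropped-stage execution)")
    return hits


def check_file(ev):
    """Sysmon Event ID 11 (file create); Sha256 is an assumed EDR-style enrichment field."""
    hits = []
    name = ev["TargetFilename"]
    if STARTUP_DIR.search(name) and SCRIPT_EXT.search(name):
        hits.append("script dropped into Startup folder")
    if ev.get("Sha256", "").lower() in KNOWN_SHA256:
        hits.append("file hash matches known WSHRAT sample")
    return hits


def check_registry(ev):
    """Sysmon Event ID 13 (registry value set): Run key whose data launches a script."""
    if RUN_KEY.search(ev["TargetObject"]) and SCRIPT_EXT.search(ev.get("Details", "")):
        return ["Run key persistence via script host"]
    return []


def check_dns(ev):
    """Sysmon Event ID 22 (DNS query): resolution of the C2 host from the config above."""
    if ev["QueryName"].lower().rstrip(".") == C2_HOST:
        return ["DNS query for known WSHRAT C2 host"]
    return []


CHECKS = {1: check_process, 11: check_file, 13: check_registry, 22: check_dns}


def triage(events):
    """Return [(event_index, [reasons])] for every record that fires at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        reasons = CHECKS.get(ev["EventID"], lambda e: [])(ev)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed records modelled on the process tree and Downloads section above.
# The Run key name/data and the final benign logon-script event are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeace0a8ab23c3ce61d5350201e0e941_JaffaCakes118.vbs"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\keSoCVJrPF.vbs",
     "Sha256": "d9f6ba700117da69da10241c27e799fe982fc20cfe36f76486b7396abfa42772"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\keSoCVJrPF",
     "Details": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\keSoCVJrPF.vbs"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aeace0a8ab23c3ce61d5350201e0e941_JaffaCakes118.vbs",
     "Sha256": "530be52b6fab0cbe77614e8321abf7aa90e410a7ebe654c67aece01f6f37ea51"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\keSoCVJrPF.vbs"'},
    {"EventID": 22, "QueryName": "jeffserver.duckdns.org"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"wscript.exe \\corp.example\netlogon\mapdrives.vbs"},  # benign logon script, assumed
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx} (ID {SAMPLE_EVENTS[idx]['EventID']}): " + "; ".join(reasons))
```

The behavioural rules fire on the dropped second stage even when hashes are unknown: the `//B` flag, the AppData\Roaming path and the wscript-spawns-wscript parent relationship are all visible in the process tree above, while the hash and C2 lookups only catch this exact sample. The domain-joined logon script in the last record resolves from a UNC share, is not run with `//B` and is not spawned by another script host, so it produces no finding.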

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aeace0a8ab23c3ce61d5350201e0e941_JaffaCakes118.vbs

    Filesize

    88KB

    MD5

    aeace0a8ab23c3ce61d5350201e0e941

    SHA1

    85c24929f4c1464636e0c6cce6d86973d980a009

    SHA256

    530be52b6fab0cbe77614e8321abf7aa90e410a7ebe654c67aece01f6f37ea51

    SHA512

    e44ab057cfbe18fecf41fb1b15d3b0824fe55127083c33d1e23eb77c7484eaaf4937a2c88fdc91de92f6960eb3e8a1152a407dd68213ff99330d40241407f360

  • C:\Users\Admin\AppData\Roaming\keSoCVJrPF.vbs

    Filesize

    38KB

    MD5

    392479347086b65e281338b4fc966a1f

    SHA1

    3c92a54853777094544adb6b832fb2d904869b0b

    SHA256

    d9f6ba700117da69da10241c27e799fe982fc20cfe36f76486b7396abfa42772

    SHA512

    ea1827b4abbf64c5294ce2a237a4d7c145fff5e1eac5a03fed2b80da925a73d99772f027ba8c608d50e945bf60793fa9a6d5e368380475771e118889d0fbae2b